Using artificial anomalies to detect unknown and known network intrusions

Authors:
W. Fan;M. Miller;S. Stolfo;W. Lee;P. Chan
Affiliations:
IBM T. J. Watson Research, Hawthorne, NY;Computer Science, Columbia University, New York, NY;Computer Science, Columbia University, New York, NY;College of Computer Science, Georgia Tech, Atlanta, GA;Computer Science, Florida Institute of Technology, Melbourn, FL
Venue:
Knowledge and Information Systems
Year:
2004

Citing 7
Cited 10

Learning to classify text from labeled and unlabeled documents

AAAI '98/IAAI '98 Proceedings of the fifteenth national/tenth conference on Artificial intelligence/Innovative applications of artificial intelligence
Learning Program Behavior Profiles for Intrusion Detection

Proceedings of the Workshop on Intrusion Detection and Network Monitoring
Experience with EMERALD to Date

Proceedings of the Workshop on Intrusion Detection and Network Monitoring
Benchmarking Anomaly-Based Detection Systems

DSN '00 Proceedings of the 2000 International Conference on Dependable Systems and Networks (formerly FTCS-30 and DCCA-8)
A Sense of Self for Unix Processes

SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
Information-Theoretic Measures for Anomaly Detection

SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
A data mining framework for constructing features and models for intrusion detection systems (computer security, network security)

A data mining framework for constructing features and models for intrusion detection systems (computer security, network security)

Visualization assisted detection of sybil attacks in wireless networks

Proceedings of the 3rd international workshop on Visualization for computer security
Interactive wormhole detection and evaluation

Information Visualization
An evaluation of dimension reduction techniques for one-class classification

Artificial Intelligence Review
Review: Intrusion detection by machine learning: A review

Expert Systems with Applications: An International Journal
Review: The use of computational intelligence in intrusion detection systems: A review

Applied Soft Computing
On integrating event definition and event detection

Knowledge and Information Systems
Architecture of distributed intrusion detection system based on anomalies

INES'10 Proceedings of the 14th international conference on Intelligent engineering systems
Machine Learning Methods For Detecting Patterns Of Management Fraud

Computational Intelligence
Effective detection of sophisticated online banking fraud on extremely imbalanced data

World Wide Web
One class random forests

Pattern Recognition

Quantified Score

Hi-index	0.00

Visualization

Abstract

Intrusion detection systems (IDSs) must be capable of detecting new and unknown attacks, or anomalies. We study the problem of building detection models for both pure anomaly detection and combined misuse and anomaly detection (i.e., detection of both known and unknown intrusions). We show the necessity of artificial anomalies by discussing the failure to use conventional inductive learning methods to detect anomalies. We propose an algorithm to generate artificial anomalies to coerce the inductive learner into discovering an accurate boundary between known classes (normal connections and known intrusions) and anomalies. Empirical studies show that our pure anomaly-detection model trained using normal and artificial anomalies is capable of detecting more than 77% of all unknown intrusion classes with more than 50% accuracy per intrusion class. The combined misuse and anomaly-detection models are as accurate as a pure misuse detection model in detecting known intrusions and are capable of detecting at least 50% of unknown intrusion classes with accuracy measurements between 75 and 100% per class.